
Session VRF for PPP users on 7201

I have this annoying problem I am struggling to solve.  I am trying to put individual users into unique VRFs.  So I have set up this RADIUS entry:

# FreeRADIUS users file entry. Reply items use "+=" so that a second
# Cisco-AVPair is always added; a plain "=" only adds the attribute when
# none of that name is present yet, so the second pair would be dropped.
nicholas        Cleartext-Password := "nicholas"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.255,
        Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding vpn1",
        Cisco-AVPair += "lcp:interface-config#2=ip unnumbered loopback5"

I have also used:

        Cisco-AVPair += "ip:vrf-id=vpn1",
        Cisco-AVPair += "ip:ip-unnumbered=lo5"

The PPP client gets the correct IP address, and it picks up the loopback route in the correct VRF.  However, the virtual-access interface does not appear in the VRF and stays in the global routing table.  So it's half in, half out.  Any ideas?

My LNS is a 7201 running (C7200-SPSERVICESK9-M), Version 12.4(22)T.

Config on PPP server:

interface Virtual-Template2
 ip unnumbered loopback 5
 ip mtu 1492
 no ip route-cache cef
 no peer default ip address
 ppp mru match
 ppp authentication pap chap
!
ip vrf vpn1
 rd 65001:1
 route-target export 1:1
 route-target import 1:1
!
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius local
aaa accounting exec default
 action-type start-stop
 group radius
aaa accounting system default
 action-type start-stop
 group radius
!
interface Loopback5
 ip vrf forwarding vpn1
 ip address 172.16.4.1 255.255.255.255
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group global

LNS#show ip route vrf vpn1

Routing Table: vpn1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/32 is subnetted, 1 subnets
C       172.16.4.1 is directly connected, Loopback5
     192.168.254.0/32 is subnetted, 1 subnets
B       192.168.254.254 [200/0] via 10.0.0.2, 06:54:54
     192.168.1.0/30 is subnetted, 1 subnets
B       192.168.1.0 [200/0] via 10.0.0.1, 05:13:40

Client:

pppoeclient#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 2 subnets
C       172.16.3.33 is directly connected, Dialer1
C       172.16.4.1 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Dialer1

Any suggestions greatly appreciated.

4 Replies

Reply 1:

I found this debug which hints at the error. I wish I could find the debug which says "THIS IS THE PROBLEM" lol.

LNS#debug vtemplate event
Virtual Template events debugging is on
LNS#
*Oct 15 18:17:28.067: VT:Sending vaccess request, id 0x4600008B
*Oct 15 18:17:28.075: VT:Processing vaccess requests, 1 outstanding
*Oct 15 18:17:28.079: VT:Create and clone interface, Vt2
*Oct 15 18:17:28.083: VT[Vi3]:Reuse interface, recycle queue size 1
*Oct 15 18:17:28.087: VT[Vi3]:Cloning a recycled vaccess
*Oct 15 18:17:28.207: VT[Vi3]:Processing vaccess response, id 0x4600008B, result success (1)
*Oct 15 18:17:28.227: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Oct 15 18:17:28.263: VT:Sending vaccess request, id 0xAF00005F
*Oct 15 18:17:28.267: VT:Processing vaccess requests, 1 outstanding
*Oct 15 18:17:28.491: VT[Vi3]:Processing vaccess response, id 0xAF00005F, result clone error (4)
*Oct 15 18:17:28.543: VT[Vi3]:Processing request to free vaccess
*Oct 15 18:17:28.547: VT[Vi3]:Waiting for the free request to finish
*Oct 15 18:17:28.551: VT[Vi3]:Vaccess free request complete, reference id 47
*Oct 15 18:17:28.563: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
LNS#
*Oct 15 18:17:28.567: VT[Vi3]:Interface and line protocol are down, proceed to free
*Oct 15 18:17:28.579: VT:Clean up dirty vaccess queue, size 1
*Oct 15 18:17:28.583: VT[Vi3]:Found a dirty vaccess cloned from vtemplate/AAA
*Oct 15 18:17:28.583: VT[Vi3]:Unclone vaccess, 2 command(s) to be removed
*Oct 15 18:17:28.699: VT:Found a AAA buf for AAA clone blk.
*Oct 15 18:17:28.703: VT[Vi3]:Unclone vaccess, 3 command(s) to be removed
*Oct 15 18:17:28.791: VT[Vi3]:Hardware address ca00.6390.0008
*Oct 15 18:17:28.799: VT[Vi3]:Add vaccess to recycle queue, queue size 1

Reply 2:

I found another; not sure what exactly is happening here.

LNS#debug vtemplate cloning
Virtual Template cloning debugging is on
LNS#
*Oct 15 18:22:02.375: VT[Vi3]:Cloning a recycled vaccess
*Oct 15 18:22:02.379: VT[Vi3]:Added new vtemplate cloneblk, now cloning from vtemplate
*Oct 15 18:22:02.383: VT[Vi3]:Clone Vaccess from Virtual-Template2 (53 bytes)
*Oct 15 18:22:02.387: VT[Vi3]:no ip address
*Oct 15 18:22:02.387: VT[Vi3]:ip mtu 1492
*Oct 15 18:22:02.391: VT[Vi3]:no ip route-cache cef
*Oct 15 18:22:02.391: VT[Vi3]:end
*Oct 15 18:22:02.395: VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (217)
*Oct 15 18:22:02.395: VT[Vi3]:no ip address
*Oct 15 18:22:02.399: VT[Vi3]:ip mtu 1492
*Oct 15 18:22:02.399: VT[Vi3]:no ip route-cache cef
*Oct 15 18:22:02.403: VT[Vi3]:end
*Oct 15 18:22:02.511: VT[Vi3]:MTUs ip 1492, sub 1500, max 1500, default 1500
*Oct 15 18:22:02.531: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
LNS#
*Oct 15 18:22:02.575: VT[Vi3]:Added new AAA cloneblk, now cloning from vtemplate/AAA
*Oct 15 18:22:02.579: VT[Vi3]:Clone Vaccess from AAA (56 bytes)
*Oct 15 18:22:02.579: VT[Vi3]:ip vrf forwarding vpn1
*Oct 15 18:22:02.583: VT[Vi3]:ip ip unnumbered Loopback 5
*Oct 15 18:22:02.583: VT[Vi3]:end
*Oct 15 18:22:02.587: VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (217)
*Oct 15 18:22:02.591: VT[Vi3]:ip vrf forwarding vpn1
*Oct 15 18:22:02.591: VT[Vi3]:ip ip unnumbered Loopback 5
*Oct 15 18:22:02.595: VT[Vi3]:end
*Oct 15 18:22:02.855: VT[Vi3]:MTUs ip 1492, sub 1492, max 1492, default 1492
*Oct 15 18:22:02.927: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Oct 15 18:22:02.943: VT[Vi3]:Unclone vaccess, 2 command(s) to be removed
*Oct 15 18:22:02.947: VT[Vi3]:default ip ip unnumbered Loopback 5
*Oct 15 18:22:02.947: VT[Vi3]:default ip vrf forwarding vpn1
*Oct 15 18:22:02.951: VT[Vi3]:end
*Oct 15 18:22:02.955: VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (217)
LNS#
*Oct 15 18:22:02.955: VT[Vi3]:default ip ip unnumbered Loopback 5
*Oct 15 18:22:02.959: VT[Vi3]:default ip vrf forwarding vpn1
*Oct 15 18:22:02.959: VT[Vi3]:end
*Oct 15 18:22:03.095: VT[Vi3]:Remove cloneblk AAA from vaccess with vtemplate/AAA
*Oct 15 18:22:03.099: VT[Vi3]:Unclone vaccess, 3 command(s) to be removed
*Oct 15 18:22:03.099: VT[Vi3]:default ip route-cache cef
*Oct 15 18:22:03.103: VT[Vi3]:default ip mtu 1492
*Oct 15 18:22:03.103: VT[Vi3]:default ip address
*Oct 15 18:22:03.107: VT[Vi3]:end
*Oct 15 18:22:03.111: VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (217)
*Oct 15 18:22:03.111: VT[Vi3]:default ip route-cache cef
*Oct 15 18:22:03.115: VT[Vi3]:default ip mtu 1492
*Oct 15 18:22:03.115: VT[Vi3]:default ip address
*Oct 15 18:22:03.119: VT[Vi3]:end
*Oct 15 18:22:03.263: VT[Vi3]:Remove cloneblk vtemplate from vaccess with vtemplate
LNS#u all

Reply 3:

Solved.  After a lot more debugging and cross-referencing I came to the conclusion the router was simply ignoring the AV pairs.  A little more research led me to this command:

radius-server vsa send authentication

http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdrad.html#wp1001063

It would seem my NAS needs to think the Cisco AV pair is a vendor-specific attribute.  A bit confused by that; however, possibly it would indicate some sort of syntax problem, though a Wireshark capture would indicate not.  Oh well, it works now!

LNS#show ip route vrf vpn1

Routing Table: vpn1
Gateway of last resort is not set

     172.16.0.0/32 is subnetted, 2 subnets
C       172.16.3.33 is directly connected, Virtual-Access3
C       172.16.6.1 is directly connected, Loopback5
     192.168.254.0/32 is subnetted, 1 subnets
B       192.168.254.254 [200/0] via 10.0.0.2, 01:39:08
     192.168.1.0/30 is subnetted, 1 subnets
B       192.168.1.0 [200/0] via 10.0.0.1, 01:39:08
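Added example, not code from the original posts or from Cisco: the Python below builds the Access-Accept a RADIUS server returns for the user entry in the first post, verifies its Response Authenticator, and decodes attribute 26 (Vendor-Specific, Vendor-Id 9, vendor type 1 = cisco-avpair) into the interface commands the LNS applies to the Virtual-Access. The shared secret, packet ID and Request Authenticator are constructed; the mapping of ip:vrf-id and ip:ip-unnumbered to IOS commands is an assumption for illustration. The nas_view() switch models the behaviour the thread describes: when the NAS ignores VSAs (no "radius-server vsa send authentication"), nothing from attribute 26 reaches the interface, while Framed-IP-Address is a standard attribute and still applies, which is exactly the half-in, half-out state seen above.

```python
"""Encode/decode a RADIUS Access-Accept carrying Cisco VSAs (RFC 2865 5.26).

Constructed example for this thread; secret, ID and Request Authenticator
are made up, and the ip:* -> IOS command mapping is assumed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_FRAMED_IP_NETMASK = 9
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                      # vendor type of cisco-avpair

SECRET = b"testing123"                # constructed shared secret
REQUEST_AUTH = bytes(range(16))       # constructed Request Authenticator


def tlv(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Attribute 26 wrapping Vendor-Id 9 and a vendor TLV of type 1."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(ident, attrs, secret=SECRET, request_auth=REQUEST_AUTH):
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, secret, request_auth):
    """Recompute the Response Authenticator; False means a forged/tampered reply."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expect = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expect, pkt[4:20])


def parse_attrs(pkt):
    """Return [(type, value)] for the top-level attributes, bounds-checked."""
    i, end, out = 20, struct.unpack("!H", pkt[2:4])[0], []
    while i < end:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > end:
            raise ValueError("malformed attribute")
        out.append((t, pkt[i + 2:i + l]))
        i += l
    return out


def cisco_avpairs(pkt):
    """Extract cisco-avpair strings from attribute 26 with Vendor-Id 9."""
    pairs = []
    for t, v in parse_attrs(pkt):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(v):
            vt, vl = v[j], v[j + 1]
            if vl < 2 or j + vl > len(v):
                break
            if vt == CISCO_AVPAIR:
                pairs.append(v[j + 2:j + vl].decode())
            j += vl
    return pairs


def per_user_commands(avpairs):
    """Interface commands the NAS derives from the pairs.

    lcp:interface-config[#n]=<cmd> carries a verbatim IOS command; the
    ip:vrf-id / ip:ip-unnumbered translations below are assumed.
    """
    cmds = []
    for p in avpairs:
        key, _, val = p.partition("=")
        if key.startswith("lcp:interface-config"):
            cmds.append(val)
        elif key == "ip:vrf-id":
            cmds.append(f"ip vrf forwarding {val}")
        elif key == "ip:ip-unnumbered":
            cmds.append(f"ip unnumbered {val}")
    return cmds


def nas_view(pkt, vsa_enabled):
    """What reaches the Virtual-Access: nothing from attribute 26 if VSAs are ignored."""
    return per_user_commands(cisco_avpairs(pkt)) if vsa_enabled else []


DEMO_ATTRS = [                                            # mirrors the users entry above
    tlv(ATTR_SERVICE_TYPE, struct.pack("!I", 2)),         # Framed-User
    tlv(ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1)),      # PPP
    tlv(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("172.16.3.33").packed),
    tlv(ATTR_FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.255").packed),
    cisco_avpair("lcp:interface-config#1=ip vrf forwarding vpn1"),
    cisco_avpair("lcp:interface-config#2=ip unnumbered Loopback5"),
]

if __name__ == "__main__":
    pkt = build_access_accept(7, DEMO_ATTRS)
    print("authenticator ok:", verify_response(pkt, SECRET, REQUEST_AUTH))
    print("vsa ignored :", nas_view(pkt, False))
    print("vsa honoured:", nas_view(pkt, True))
```

Comparing the two nas_view() results against the debug output in the thread is the check a practitioner wants: the clone-from-AAA block should contain the "ip vrf forwarding" line, and if it does not, look at whether the NAS is processing attribute 26 at all before suspecting the RADIUS syntax.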

Reply 4:

How do I close a discussion I solved myself?